Bot Block
Overview
Script
List the user agents seen in the recent access log, ordered by hit count. A botnet usually stands out as only a few distinct user-agent strings, each with a very large number of hits. Note that the User-Agent header is chosen by the client, so a match is a fingerprint of one particular wave, not a durable signature.
[bash,n]
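# Count the user agents in the tail of the domain's access log, least to most
# frequent. DOMLOGFILE is the full path of the access log (the original page's
# <DOMLOGFILE> placeholder). Splitting a combined-format log line on '"' puts the
# User-Agent in field 6. A bare `tail` reads only the last 10 lines, which is
# far too small a window to rank anything, so take the same 1000 lines the
# blocking script below inspects.
tail -n 1000 -- "$DOMLOGFILE" | cut -d '"' -f6 | sort | uniq -c | sort -n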
Block the source IPs that sent those user agents. The script below greps the recent log for each hard-coded user-agent string and hands every matching client IP to apf; update the user-agent list for each new wave.
[bash,n]
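#!/bin/bash
#
# rubotblock: find client IPs whose recent requests carry one of a fixed set of
# botnet user-agent strings and hand them to apf for blocking. What was done is
# appended to /var/log/rubotblock.
#
# NOTE(review): the user-agent strings are attacker-chosen and trivially
# rotated, so treat them as a fingerprint of one wave. Also confirm that the
# first field of this log is the real client address: behind a reverse proxy
# or CDN every hit carries the proxy's address and the block would hit the
# proxy itself.

# Full path of the domain's access log (the page's <FULL DOMLOG FILE>
# placeholder). Only its last 1000 lines are inspected on each run.
domlog='<FULL DOMLOG FILE>'
logperiod=$(tail -n 1000 -- "$domlog")

# Maximum number of lines kept in /var/log/rubotblock; the oldest is dropped
# once this is exceeded.
readonly logrotate=10000

# User-agent strings that identify the botnet; each is grepped for in the
# log lines above.
readonly useragents=(
  'Opera/9.02 (Windows NT 5.1; U; ru)'
  'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)'
  'Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1'
)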
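#######################################
# Append a timestamped line to the block log and cap the log's length.
# Globals:   logrotate (read; maximum line count, 10000 if unset)
#            RUBOTBLOCK_LOG (read; log path, /var/log/rubotblock if unset)
# Arguments: $1 - message to record
# Outputs:   one line "[ <date> ] <message>" appended to the log
# Returns:   0; the rotation is best-effort
#######################################
plog() {
  local logfile=${RUBOTBLOCK_LOG:-/var/log/rubotblock}
  local maxlines=${logrotate:-10000}
  local lines

  # printf, not echo: the message may be apf output or text lifted from the
  # access log, and echo would interpret a leading option or escapes.
  printf '[ %s ] %s\n' "$(date)" "$1" >> "$logfile"

  # Drop the oldest line once the cap is exceeded so the log cannot grow
  # without bound. One line per call suffices because each call appends one.
  lines=$(wc -l < "$logfile")
  if [[ $lines -gt $maxlines ]]; then
    sed -i -e '1d' "$logfile"
  fi
  return 0
}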
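#######################################
# Block every client address whose recent requests carry one of the listed
# user agents.
# Globals:   logperiod (read; the log lines to inspect)
#            useragents (read; strings to match literally)
# Arguments: none
# Outputs:   progress and apf output through plog
# Returns:   0
#######################################
botblock() {
  local ua ip
  # Only characters that can appear in an IPv4/IPv6 literal. The value is
  # lifted straight from field 1 of the access log (a hostname if lookups are
  # enabled, or worse if the format differs) and ends up on apf's command
  # line, so anything else is logged and skipped rather than passed on.
  local addrchars='^[0-9A-Fa-f.:]+$'

  for ua in "${useragents[@]}"; do
    # -F: the user-agent strings contain '.', '(' and ';' and must match as
    # literal text, not as regex metacharacters. sort -u replaces the
    # original sort | uniq | sort.
    while IFS= read -r ip; do
      if [[ ! $ip =~ $addrchars ]]; then
        plog "Skipping log field '$ip' (not an address) for $ua"
        continue
      fi
      plog "Attempting to block $ip $ua"
      plog "$(/usr/local/sbin/apf -d "$ip" "RU Botnet IP ($ua)" 2>&1)"
    done < <(printf '%s\n' "$logperiod" | grep -F -- 'GET /' | grep -F -- "$ua" \
      | cut -d ' ' -f1 | sort -u)
  done
  return 0
}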
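# Single-instance guard around botblock. The lock file holds the PID of the
# running instance; a stale lock (PID gone, or reused by an unrelated process)
# is discarded. The original checked for this file but nothing in the script
# ever created it, so overlapping cron runs were never actually prevented;
# the lock is now taken here. The log messages previously referred to a
# "swapclean" script and have been corrected.
lockfile=/var/run/.rubotblock
scriptname=${0##*/}

# Create the lock file with our PID. noclobber makes create-and-write atomic:
# it fails if the file already exists, so there is no check-then-create race.
acquire_lock() {
  ( set -o noclobber; printf '%s\n' "$$" > "$lockfile" ) 2>/dev/null
}

if acquire_lock; then
  # Remove the lock on any exit path, including a failure inside botblock.
  trap 'rm -f "$lockfile"' EXIT
  botblock
else
  plog "Lock file found, a previous run may still be blocking"
  opid=$(cat -- "$lockfile" 2>/dev/null)
  # Accept only a numeric PID, and treat the lock as live only when that PID
  # is running this script. The former `ps ax | grep $opid` matched any
  # process whose line merely contained those digits.
  if [[ $opid =~ ^[0-9]+$ ]] \
     && ps -p "$opid" -o args= 2>/dev/null | grep -qF -- "$scriptname"; then
    plog "Previous run still active (PID $opid), not starting another"
  else
    plog "PID not active or not owned by $scriptname, clearing lock file"
    rm -f -- "$lockfile"
    if acquire_lock; then
      trap 'rm -f "$lockfile"' EXIT
      botblock
    else
      plog "Could not take lock $lockfile after clearing it, giving up"
    fi
  fi
fi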